search

eteran / edb-debugger

edb is a cross-platform AArch32/x86/x86-64 debugger.
GNU General Public License v2.0
2.7k stars 326 forks source link

EDB UI detach from the debugged process on process restart via sys_execve #758

Open johnfound opened 4 years ago

johnfound commented 4 years ago

Sometimes in my projects, when running in 64bit Linux, a 32bit process needs to have personality of PER_LINUX32_3GB.

The program switches into this mode by calling the following procedure:

proc ___SwitchLinuxTo3GB
begin
        cmp     esp, $c0000000
        jb      .finish                 ; the system is 32bit

        mov     eax, sys_personality
        mov     ebx, -1
        int     $80

        test    eax, ADDR_LIMIT_3GB
        jnz     .finish                         ; everything is OK.

; set the needed personality
        mov     eax, sys_personality
        mov     ebx, PER_LINUX32_3GB
        int     $80
        test    eax, eax
        js      .finish       

; and restart the process
        mov     eax, [esp+4]          ; argument count
        mov     ebx, [esp+8]          ; the first argument is the name of the program.
        lea     ecx, [esp+8]          ; the arguments list.
        lea     edx, [ecx+4*eax+4]    ; the environment list.

        mov     eax, sys_execve
        int     $80
        int3

.finish:
        return
endp

As you can see, in the case of switching personality, the procedure restarts the whole process by calling sys_execve; On the second call of this procedure, it is already in the right personality and it exits through the .finish label.

But after the application restart, EDB user interface detaches from the debugged program.

However, the debugger remains attached and the user can step through the instructions or run/pause the program, but without any indication in the CPU, Data or Stack panels. All the registers are zeroed, but if their values are changed on the instructions stepping, they are updated (maybe) correctly.

I will attach a small demo program that switches to PER_LINUX32_3GB and then immediately exits:

edb_bug_demo.zip

--- Want to back this issue? **[Post a bounty on it!](https://www.bountysource.com/issues/91632563-edb-ui-detach-from-the-debugged-process-on-process-restart-via-sys_execve?utm_campaign=plugin&utm_content=tracker%2F14326212&utm_medium=issues&utm_source=github)** We accept bounties via [Bountysource](https://www.bountysource.com/?utm_campaign=plugin&utm_content=tracker%2F14326212&utm_medium=issues&utm_source=github).
eteran commented 4 years ago

Interesting, that's certainly an unaccounted for use case. We'll look into it!